Why the pandemic shouldn’t stop providers from focusing on critical security and compliance gaps.
By Gerry Blass and Helen Oscislawski, Esq.
For better and for worse, the COVID-19 pandemic has shifted our focus to a new paradigm of remote work and patient care. Healthcare providers and technology companies moved quickly to implement and scale solutions that enable patient care and business operations in a completely new model.
However, even the most up-to-date and comprehensive business continuity plans strained under the rate of change in 2020. In the rush to respond to an unprecedented public health emergency, attention to compliance, security and privacy, and interoperability was not always as rigorous as it should have been.
As we begin the new year, it’s time for healthcare organizations and providers to recapture their focus on these vital security and compliance strategies to protect their patients and their business, and to be ready for impending regulatory requirements.
In working with healthcare providers across the country, we are already seeing a renewed focus on security and compliance. Let’s look at four main reasons why this is happening, along with practical tips to bolster security and compliance.
Reason #1: Providers Need to Make Up for Lost Time
In the weeks after the pandemic emerged, virtual health services were implemented at a breakneck pace to enable remote patient care. Operationally, IT teams had to develop telecommuting infrastructures virtually overnight.
Unfortunately, the speed and scale at which these initiatives had to be implemented, as well as the shift of resources to other critical areas, potentially introduced gaps and new vulnerabilities.
For example, some telecommuting practices opened the door for employees to access and use electronic protected health information (ePHI) at home, on devices outside the organization's control, or over unsecured public Wi-Fi connections. Such practices are inherently high-risk: once ePHI leaves managed systems and networks, the organization has far less ability to control where it ends up.
How can providers play catch-up in 2021?
Begin with a full security risk assessment (SRA). Ideally, an SRA is completed or reviewed each year to comply with HIPAA, Promoting Interoperability (previously known as the "meaningful use" EHR Incentive Program), and other cybersecurity frameworks.
However, many healthcare organizations put conducting an SRA on the back burner for the whole of 2020, and this may still be the case for those in crisis mode as the pandemic surges through a third wave.
We recommend that healthcare organizations not only refocus on security in 2021, but also increase the scope of their SRAs to incorporate recent technology and operational changes that may have introduced new vulnerabilities, including:
- New telecommuting and telehealth systems
- New third-party vendors
- Organizational, technical, and physical changes
- New locations of ePHI
- Transmission and use of ePHI from home or non-network computers
- Use of Wi-Fi and VPN
- Other new patient care practices, such as virtual services provided from outside the US
Reason #2: Bad Actors Are Coming Out of the Woodwork
Another byproduct of the pandemic? Cyberattackers know that new vulnerabilities exist and are taking full advantage of the chaos by “developing a host of COVID-19 fraud schemes, phishing attacks, and related cyber threats designed to prey on natural fears… Many of the cyberattacks relied on tried and true attack methods: schemes aimed at taking advantage of human nature,” according to an article in Health IT Security.1
Though many healthcare organizations have done a commendable job implementing new remote technologies under urgent circumstances, would-be attackers know that vulnerabilities exist and can be exploited.
What are the best ways to close the gaps so bad actors cannot get in? There are a variety of high-level security and compliance strategies organizations can put in place today, including:
- Review and update disaster recovery/business continuity (DR/BC) plans and emergency operations plans (EOPs), adding pandemic assessment and response planning
- Retrain staff to be more vigilant about email phishing and other targeted hacking campaigns
- Conduct workforce testing to identify and mitigate new vulnerabilities and reduce the risk of falling victim to cyberattacks
Reason #3: Information Blocking Compliance
Information blocking will shape 2021, bringing an entirely new model for moving and sharing data. Most organizations felt a sense of relief when the compliance deadline for the information blocking final rule was pushed back in response to the coronavirus pandemic. This meant more breathing room to revisit data-sharing workflows.
According to Don Rucker, MD, national coordinator for health IT, "The ONC [Office of the National Coordinator for Health IT] is not removing the requirements advancing patient access to their health information that are outlined in the Cures Act final rule. Rather, we are providing additional time to allow everyone in the health care ecosystem to focus on COVID-19 response."2
This relief will not last long, however. April 5, 2021 is the new deadline for a subset of the requirements to be fulfilled. To move forward, a wide range of healthcare providers, including hospitals, long-term care facilities, home health entities, FQHCs, doctors, dentists, therapists and many others,3 need to be in a position to meet certain mandated criteria to ensure that patients can obtain their electronic health information (EHI) as requested, without interference. Workflows for responding to requests for access to or copies of EHI by other third parties will also need to be reviewed.
Compliance with information blocking rules requires, among other things, healthcare providers to have a detailed understanding of their existing security policies and responses to risks, and a point-by-point strategy for how to manage requests coming in to an EHR or other systems of record. Granting this type of access introduces new potential vulnerabilities, complications, and windows through which bad actors can enter a healthcare organization’s network.
A HIPAA security risk analysis is one way to begin, but ONC has said it may not be enough on its own. Other frameworks, such as the NIST Cybersecurity Framework, provide a more comprehensive basis for identifying security risks and for showing that security practices follow "best practices," as the information blocking rule's security exception requires.
Reason #4: Temporary HIPAA Waivers Will Be Lifted
The temporary HIPAA waivers created in response to COVID-19 gave providers enough latitude to be able to deal with the crisis at hand. The waivers will remain in place for the duration of the public health emergency. However, they will eventually be lifted, and the temporary provisions made for the use of telehealth applications and services will no longer apply.
Do not wait for the waivers to expire.
We recommend that healthcare organizations start now on fulfilling compliance standards for any new technology or processes put in place to manage during the pandemic. Take the time to re-evaluate new third-party vendors’ security and compliance standards, get appropriate business associate agreements (BAAs) in place, or switch to different vendors if needed.
In addition, providers should be prepared for potential future changes to the HIPAA Privacy Rule, which “will facilitate greater family and caregiver involvement in the care of individuals experiencing emergencies or health crises and enhance flexibility for disclosures in emergency or threatening circumstances, such as the opioid and COVID-19 public health emergencies.”4
On December 10, 2020, the Office for Civil Rights released a Notice of Proposed Rulemaking that would modify the HIPAA Privacy Rule to support, and remove barriers to, coordinated care and individual patient engagement.5
Catching up on security and compliance will not be easy. Hospitals and other providers will have to judge for themselves, and be honest with themselves, about what is most practical. If they are not experiencing overwhelming capacity issues due to the pandemic, it is time to turn attention back to compliance.
Do not fall into the trap of using the pandemic as a justification for leaving substandard security and compliance in place. Doing so carries inherent high risks. Whatever the pandemic status of your organization, it can still be targeted by cyberattacks and must still work to comply with forthcoming federal regulations.
References
1. Davis, Jessica. "The 10 biggest healthcare data breaches of 2020." Health IT Security. December 10, 2020. https://healthitsecurity.com/news/the-10-biggest-healthcare-data-breaches-of-2020.
2. US Department of Health and Human Services (HHS). "HHS extends compliance dates for information blocking and health IT certification requirements in 21st Century Cures Act Final Rule." October 29, 2020. https://www.federalregister.gov/documents/2020/11/04/2020-24376/information-blocking-and-the-onc-health-it-certification-program-extension-of-compliance-dates-and.
3. Oscislawski, Helen. "Who is on the 'hook' for information blocking?" Legal Health Information Exchange. October 21, 2020. www.legalhie.com/who-is-on-the-hook-for-information-blocking.
4. Landi, Heather. "HHS proposes changes to HIPAA privacy rule to improve care coordination." FierceHealthcare. December 10, 2020. www.fiercehealthcare.com/tech/hhs-proposes-changes-to-hippa-privacy-rule-to-improve-care-coordination.
5. HHS Office for Civil Rights. "Proposed modifications to the HIPAA privacy rule to support, and remove barriers to, coordinated care and individual engagement." www.hhs.gov/sites/default/files/hhs-ocr-hipaa-nprm.pdf.
Gerry Blass (gerry@complyassistant.com) is president and CEO at ComplyAssistant and brings over 35 years of experience in healthcare information technology.
Helen Oscislawski (helen@oscislaw.com) is a corporate and regulatory attorney whose practice for more than 20 years has focused almost exclusively on advising and representing clients in the health care industry. She is the founding member of Attorneys at Oscislawski LLC.